mirror of
https://github.com/cisagov/manage.get.gov.git
synced 2025-06-29 15:53:31 +02:00
Add OWASP scanning
This commit is contained in:
Neil Martinsen-Burrell
parent
9f861b3c11
commit
690659c9ba
3 changed files with 148 additions and 2 deletions
19
.github/workflows/security-check.yaml
vendored
19
.github/workflows/security-check.yaml
vendored
|
|
@ -1,4 +1,4 @@
|
|||
name: Django Security Check
|
||||
name: Security Checks
|
||||
|
||||
on:
|
||||
push:
|
||||
|
|
@ -34,3 +34,20 @@ jobs:
|
|||
with:
|
||||
name: security-check-output
|
||||
path: output.txt
|
||||
|
||||
owasp-scan:
|
||||
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- name: Check out
|
||||
uses: actions/checkout@v3
|
||||
- name: OWASP scan
|
||||
run: docker compose run owasp
|
||||
working-directory: ./src
|
||||
- name: Upload output
|
||||
uses: actions/upload-artifact@v2
|
||||
with:
|
||||
name: owasp-scan-output
|
||||
path: ./src/zap_report.html
|
||||
|
||||
|
|
|
|||
|
|
@ -22,7 +22,7 @@ services:
|
|||
# Tell Django where to find its configuration
|
||||
- DJANGO_SETTINGS_MODULE=registrar.config.settings
|
||||
# Set a local key for Django
|
||||
- DJANGO_SECRET_KEY=feedabee
|
||||
- DJANGO_SECRET_KEY=really-long-random-string-BNPecI7+s8jMahQcGHZ3XQ5yUfRrSibdapVLIz0UemdktVPofDKcoy
|
||||
# Run Django in debug mode on local
|
||||
- DJANGO_DEBUG=True
|
||||
# Tell Django where it is being hosted
|
||||
|
|
@ -71,3 +71,11 @@ services:
|
|||
- app
|
||||
profiles:
|
||||
- pa11y
|
||||
|
||||
owasp:
|
||||
image: owasp/zap2docker-weekly
|
||||
command: zap-baseline.py -t http://app:8080 -c zap.conf -I -r zap_report.html
|
||||
volumes:
|
||||
- .:/zap/wrk/
|
||||
links: ["app"]
|
||||
profiles: ["owasp-scan"]
|
||||
|
|
|
|||
121
src/zap.conf
Normal file
121
src/zap.conf
Normal file
|
|
@ -0,0 +1,121 @@
|
|||
# zap-full-scan rule configuration file
|
||||
# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches
|
||||
# Active scan rules set to IGNORE will not be run which will speed up the scan
|
||||
# Only the rule identifiers are used - the names are just for info
|
||||
# You can add your own messages to each rule by appending them after a tab on each line.
|
||||
0 WARN (Directory Browsing - Active/release)
|
||||
10003 WARN (Vulnerable JS Library - Passive/release)
|
||||
10010 FAIL (Cookie No HttpOnly Flag - Passive/release)
|
||||
10011 FAIL (Cookie Without Secure Flag - Passive/release)
|
||||
10015 WARN (Incomplete or No Cache-control Header Set - Passive/release)
|
||||
10016 FAIL (Web Browser XSS Protection Not Enabled)
|
||||
10017 WARN (Cross-Domain JavaScript Source File Inclusion - Passive/release)
|
||||
10019 WARN (Content-Type Header Missing - Passive/release)
|
||||
10020 FAIL (X-Frame-Options Header - Passive/release)
|
||||
10021 WARN (X-Content-Type-Options Header Missing - Passive/release)
|
||||
10023 WARN (Information Disclosure - Debug Error Messages - Passive/release)
|
||||
10024 FAIL (Information Disclosure - Sensitive Information in URL - Passive/release)
|
||||
10025 FAIL (Information Disclosure - Sensitive Information in HTTP Referrer Header - Passive/release)
|
||||
10026 WARN (HTTP Parameter Override - Passive/beta)
|
||||
10027 WARN (Information Disclosure - Suspicious Comments - Passive/release)
|
||||
10028 FAIL (Open Redirect - Passive/beta)
|
||||
10029 WARN (Cookie Poisoning - Passive/beta)
|
||||
10030 WARN (User Controllable Charset - Passive/beta)
|
||||
10031 WARN (User Controllable HTML Element Attribute (Potential XSS) - Passive/beta)
|
||||
10032 WARN (Viewstate - Passive/release)
|
||||
10033 WARN (Directory Browsing - Passive/beta)
|
||||
10034 WARN (Heartbleed OpenSSL Vulnerability (Indicative) - Passive/beta)
|
||||
10035 FAIL (Strict-Transport-Security Header - Passive/beta)
|
||||
10036 WARN (HTTP Server Response Header - Passive/beta)
|
||||
10037 WARN (Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) - Passive/release)
|
||||
10038 FAIL (Content Security Policy (CSP) Header Not Set - Passive/beta)
|
||||
10039 WARN (X-Backend-Server Header Information Leak - Passive/beta)
|
||||
10040 FAIL (Secure Pages Include Mixed Content - Passive/release)
|
||||
10041 WARN (HTTP to HTTPS Insecure Transition in Form Post - Passive/beta)
|
||||
10042 WARN (HTTPS to HTTP Insecure Transition in Form Post - Passive/beta)
|
||||
10043 FAIL (User Controllable JavaScript Event (XSS) - Passive/beta)
|
||||
10044 WARN (Big Redirect Detected (Potential Sensitive Information Leak) - Passive/beta)
|
||||
10045 WARN (Source Code Disclosure - /WEB-INF folder - Active/release)
|
||||
10047 WARN (HTTPS Content Available via HTTP - Active/beta)
|
||||
10048 FAIL (Remote Code Execution - Shell Shock - Active/beta)
|
||||
10050 WARN (Retrieved from Cache - Passive/beta)
|
||||
10051 WARN (Relative Path Confusion - Active/beta)
|
||||
10052 WARN (X-ChromeLogger-Data (XCOLD) Header Information Leak - Passive/beta)
|
||||
10053 WARN (Apache Range Header DoS (CVE-2011-3192) - Active/beta)
|
||||
10054 WARN (Cookie without SameSite Attribute - Passive/release)
|
||||
10055 WARN (CSP - Passive/release)
|
||||
10056 WARN (X-Debug-Token Information Leak - Passive/release)
|
||||
10057 WARN (Username Hash Found - Passive/release)
|
||||
10058 FAIL (GET for POST - Active/beta)
|
||||
10061 WARN (X-AspNet-Version Response Header - Passive/release)
|
||||
10062 FAIL (PII Disclosure - Passive/beta)
|
||||
10095 IGNORE (Backup File Disclosure - Active/beta)
|
||||
10096 WARN (Timestamp Disclosure - Passive/release)
|
||||
10097 WARN (Hash Disclosure - Passive/beta)
|
||||
10098 WARN (Cross-Domain Misconfiguration - Passive/release)
|
||||
10104 WARN (User Agent Fuzzer - Active/beta)
|
||||
10105 WARN (Weak Authentication Method - Passive/release)
|
||||
10106 IGNORE (HTTP Only Site - Active/beta)
|
||||
10107 WARN (Httpoxy - Proxy Header Misuse - Active/beta)
|
||||
10108 WARN (Reverse Tabnabbing - Passive/beta)
|
||||
10109 WARN (Modern Web Application - Passive/beta)
|
||||
10202 FAIL (Absence of Anti-CSRF Tokens - Passive/release)
|
||||
2 WARN (Private IP Disclosure - Passive/release)
|
||||
20012 FAIL (Anti-CSRF Tokens Check - Active/beta)
|
||||
20014 WARN (HTTP Parameter Pollution - Active/beta)
|
||||
20015 WARN (Heartbleed OpenSSL Vulnerability - Active/beta)
|
||||
20016 WARN (Cross-Domain Misconfiguration - Active/beta)
|
||||
20017 FAIL (Source Code Disclosure - CVE-2012-1823 - Active/beta)
|
||||
20018 FAIL (Remote Code Execution - CVE-2012-1823 - Active/beta)
|
||||
20019 WARN (External Redirect - Active/release)
|
||||
3 WARN (Session ID in URL Rewrite - Passive/release)
|
||||
30001 WARN (Buffer Overflow - Active/release)
|
||||
30002 WARN (Format String Error - Active/release)
|
||||
30003 WARN (Integer Overflow Error - Active/beta)
|
||||
40003 WARN (CRLF Injection - Active/release)
|
||||
40008 WARN (Parameter Tampering - Active/release)
|
||||
40009 WARN (Server Side Include - Active/release)
|
||||
40012 FAIL (Cross Site Scripting (Reflected) - Active/release)
|
||||
40013 FAIL (Session Fixation - Active/beta)
|
||||
40014 FAIL (Cross Site Scripting (Persistent) - Active/release)
|
||||
40016 FAIL (Cross Site Scripting (Persistent) - Prime - Active/release)
|
||||
40017 FAIL (Cross Site Scripting (Persistent) - Spider - Active/release)
|
||||
40018 FAIL (SQL Injection - Active/release)
|
||||
40019 FAIL (SQL Injection - MySQL - Active/beta)
|
||||
40020 FAIL (SQL Injection - Hypersonic SQL - Active/beta)
|
||||
40021 FAIL (SQL Injection - Oracle - Active/beta)
|
||||
40022 FAIL (SQL Injection - PostgreSQL - Active/beta)
|
||||
40023 FAIL (Possible Username Enumeration - Active/beta)
|
||||
40024 FAIL (SQL Injection - SQLite - Active/beta)
|
||||
40025 FAIL (Proxy Disclosure - Active/beta)
|
||||
40026 FAIL (Cross Site Scripting (DOM Based) - Active/beta)
|
||||
40027 FAIL (SQL Injection - MsSQL - Active/beta)
|
||||
40028 WARN (ELMAH Information Leak - Active/release)
|
||||
40029 WARN (Trace.axd Information Leak - Active/beta)
|
||||
40032 FAIL (.htaccess Information Leak - Active/release)
|
||||
40034 FAIL (.env Information Leak - Active/beta)
|
||||
40035 FAIL (Hidden File Finder - Active/beta)
|
||||
41 FAIL (Source Code Disclosure - Git - Active/beta)
|
||||
42 WARN (Source Code Disclosure - SVN - Active/beta)
|
||||
43 WARN (Source Code Disclosure - File Inclusion - Active/beta)
|
||||
50000 WARN (Script Active Scan Rules - Active/release)
|
||||
50001 WARN (Script Passive Scan Rules - Passive/release)
|
||||
6 WARN (Path Traversal - Active/release)
|
||||
7 WARN (Remote File Inclusion - Active/release)
|
||||
90001 WARN (Insecure JSF ViewState - Passive/release)
|
||||
90011 WARN (Charset Mismatch - Passive/release)
|
||||
90017 WARN (XSLT Injection - Active/beta)
|
||||
90019 WARN (Server Side Code Injection - Active/release)
|
||||
90020 FAIL (Remote OS Command Injection - Active/release)
|
||||
90021 WARN (XPath Injection - Active/beta)
|
||||
90022 WARN (Application Error Disclosure - Passive/release)
|
||||
90023 WARN (XML External Entity Attack - Active/beta)
|
||||
90024 WARN (Generic Padding Oracle - Active/beta)
|
||||
90025 WARN (Expression Language Injection - Active/beta)
|
||||
90026 WARN (SOAP Action Spoofing - Active/alpha)
|
||||
90027 IGNORE (Cookie Slack Detector - Active/beta)
|
||||
90028 WARN (Insecure HTTP Method - Active/beta)
|
||||
90029 WARN (SOAP XML Injection - Active/alpha)
|
||||
90030 WARN (WSDL File Detection - Passive/alpha)
|
||||
90033 WARN (Loosely Scoped Cookie - Passive/release)
|
||||
90034 WARN (Cloud Metadata Potentially Exposed - Active/beta)
|
||||
Loading…
Add table
Add a link
Reference in a new issue